What the Onslow Water and Sewer Authority Can Teach About Responsible Disclosure

Critical Infrastructure Operators Must Plan for Scenarios in Which a Physical and Cyber Event Occur Simultaneously

Malware attacks, and their effect on industrial enterprises, are among the most significant trends driving cybersecurity over the last 18 to 24 months. These incidents are vicious because they can cripple IT operations and bring business to a screeching halt. But as the infamous WannaCry and NotPetya experiences taught us, these attacks can also impact operational technology (OT) networks. An infection that begins on an office desktop can find its way into industrial environments thanks to the rapid growth in interconnectivity that is sweeping across nearly all industry verticals.

We’ve witnessed malware victimizing enterprises ranging from small government agencies to massive, multinational corporations and, last month, we saw another high-profile chapter unfold as Onslow Water and Sewer Authority (ONWASA), a water utility in North Carolina, disclosed that a ransomware attack had left it with limited computing capabilities. But out of the damage caused by the attack also came some valuable lessons and best practices for responding to a crisis.

This case study is worth exploring in more detail for several reasons. First, it is commendable to see such a swift, responsible, and transparent disclosure by the water utility. Second, the fact that the malware did not bleed into ONWASA’s OT networks is indicative of either luck, good cyber hygiene, or a combination of both. And lastly, the proximity of the attack’s timing to Hurricane Florence highlights the degree to which incident response plans must account for physical and environmental conditions.

Let’s delve deeper into each one of these points.

Swift, Responsible, and Transparent Disclosure

ONWASA first discovered the malicious activity on October 4th. The malware EMOTET, a known trojan that typically targets the financial sector, had persisted on the utility’s network and ultimately launched the Ryuk ransomware on October 13th. Just two days later, ONWASA’s CEO, Jeffrey Hudson, released a detailed press release outlining the background of the infection and the steps taken by the utility to mitigate what he described as a “targeted” operation carried out by cyber criminals. By this point, at least some of ONWASA’s customers were undoubtedly experiencing problems interfacing with the utility, online or otherwise. Hudson’s statements were critical to assuaging any concerns among ONWASA’s customers that the water supply was threatened or dangerous to consume. He drew a clear distinction between ONWASA’s business operations and its water operations. “The safety of the public’s water supply and the area’s environment is not in danger,” Hudson said, noting that “the crisis is technological in nature.” Clear and concise messages like this engender public confidence and combat unnecessary hype about these incidents.

Containing the Incident

Part of the reason the messaging was so successful in this instance is that the scope of the incident was limited to business services. In cases of ransomware impacting organizations with a sizeable OT footprint, such as public utilities, containing the incident is usually a product of good cyber hygiene, luck, or some combination thereof. Without knowing the specifics of this case, it’s impossible to attribute a reason to the lack of operational impact, but suffice it to say, ONWASA likely had at least some network segmentation in place to avoid a spillover. The press release states that ONWASA had “multiple layers of computer protection in place, including firewalls and malware/anti-virus software.” Given that ONWASA’s main office was penetrated but its OT networks were not, it’s likely that the infected PCs and servers did not have access to the OT networks.

Ryuk, unlike some other commonly observed ransomware variants, tends to be highly targeted, so it’s likely that the perpetrators did not intend to impact ONWASA’s OT networks. That said, and as we’ve learned over the last two years, these attacks can easily exceed the intended effect due to poor cyber hygiene on the part of the victim. In this case, that did not happen.

Timing is Everything

Finally, perhaps the most consequential part of this story is the timing of the attack relative to Hurricane Florence, the Category 4 storm that struck the Carolinas less than a month earlier in September and brought more than 35 inches of rain. The aftermath of such a storm is perhaps the most critical time for a water and sewage utility like ONWASA. Its operations are fundamental to ensuring the health and safety of citizens during the recovery process.

Fortunately, in this case, water and wastewater services were not disrupted and ONWASA’s plants were capable of operating manually until the affected systems were restored. This highlights two critical points.

First, all critical infrastructure owners and operators must plan for scenarios in which a physical and cyber event occur simultaneously. Critical infrastructure in general and OT networks specifically are most vulnerable to cyber attacks during or immediately after a significant natural disaster event. It is entirely possible that the actor behind this ransomware attack seized this specific moment to achieve their objective.

Second, asset owners and operators must exercise the transition from computer-based to manual operations in the event of a compromise, even if it is limited in scope to IT systems. If resilience is measured by how organizations perform while under threat, be it natural or man-made, then operating without relying on computer-based systems is a foundational requirement for success.

It’s rare that we look back on these incidents with positive takeaways, but while monumental efforts still remain for ONWASA to return its services to a normal state, they should be commended for how they responded to this event. From a communications and technical standpoint, they turned a horrible event into a strong success story on many fronts.

Galina Antova is the Co-founder and Chief Business Development Officer at Claroty. Prior to that, she was the Global Head of Industrial Security Services at Siemens, overseeing development of its services that protect industrial customers against cyber-attacks. She was also responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services for industrial control systems operators. Previously, Ms. Antova was with IBM Canada, with roles in the Provisioning and Cloud Solutions business. She holds a BS in Computer Science from York University in Toronto, and an MBA from the International Institute of Management and Development (IMD) in Lausanne, Switzerland.